Storing Private Health Information in the Public Cloud.

Filed under: cloud, security, sphere

There have been numerous announcements recently from Google and Microsoft related to storing health information on their servers in their grid. There has also been some controversy around these initiatives over privacy concerns, particularly because they come from these two companies, which have already consolidated a lot of other information and leverage with respect to the IT infrastructure of both individuals and businesses.

So, let’s leave aside a question of whether it’s those two specific organizations that manage health records over any other, and whether it’s better to have any particular large corporation instead of a government entity, non-profit, or other-worldly organization in the first place. Let’s first start with abstract theory! :)

I’m going to begin by asserting that I don’t care what a company’s privacy policy is. If any organization were so good at codifying and following a particular privacy policy, why don’t they actually code it in code instead of in legalese? That way they can get specific and avoid any of the semantic dances to skirt around responsibility for which lawyers have become so infamous. Famously, possession is 99% of the law anyway, and letting others possess your data means they own it.

But I want to go even deeper than that. First, there is generally the issue of privacy. Is there any expectation of privacy in this digital age in the first place? Why should anyone need privacy if they have nothing to hide?

Well, I don’t need any privacy, but I want it. It’s that simple. Until I behave irresponsibly, defined in as context-specific and inter-subjective a way as possible, then I deserve it and should have the right to it. Otherwise, we go down the slippery slope of starting with the assumption that everyone is a criminal until the individual proves otherwise, and the problem is that people over time and in aggregate generally behave about as highly as what is collectively expected of them.

There are people who think that having the oversight of some big brother who can read/monitor our thoughts will make us better as individuals and as a society. Then there are those of us who feel that the only path to true order and security in society rests with personal responsibility, and that the best the rest of us can do with respect to an individual is hope that eventually each person finds that sense within themselves with the help of loving external reinforcement. But, make no mistake about it, the external reinforcement is no substitute for personal responsibility; that type of substitution is a prostitution.

One of the highest hopes of society is that common, ordinary people will often do extraordinarily good things, and we are increasingly entering an age where unless that is the case, no amount of tracking, incarceration, punishment, deterrence, or stick will prevent people from doing stupid things.

Now that we have all that out of the way, I want to get back to technology. We are at a time where there is unprecedented research going on, with a convergence of so many disciplines, and as a result we are hitting a point where a lot of what we see with respect to the computer industry starts to become analogous to biology and life. So, who controls the PC, you or Microsoft, Apple, or the government? Is it ok for Microsoft or any other entity (RIAA) to be able to shut off your computer without your permission or control? How about delete files from your computer? What happens when computers start to become integrated?

Well, if you’re still with me and interested in seeing where I’m going with this as far as health records, access to health information is presumably of critical importance to patients. It seems to be of great use to doctors to have access to medical history from previous visits or other doctors (although sometimes I think it would be interesting to be able to get a “blind” opinion without access to *any* records…not sure that’s even an option), and part of the promise of some of these online medical initiatives is that it can be potentially very valuable to have that information readily available for things like sharing and collaborating around x-rays, or with emerging fields such as telemedicine.

So, what sort of rights do I then have to that vault of information created about me? What if a company wants to start charging me a lot of money for continued access to it, or changes that privacy policy to something that I don’t like, or shares it with people where I don’t approve, or won’t share it with people where I insist? What happens when there is an outage and my doctor(s) can’t access my information in a timely fashion?

Then, let’s suppose that sometime down the line (not sure how long, but it seems to be happening), a company develops a mechanism to monitor an individual’s vital signs and administer drugs automatically and accordingly. Who has control over that? Will it be more like ADT or like OnStar, where they either just monitor things remotely or start to exercise certain levels of remote control, such as changing doses? Will there be a kill switch? Will there be a black box in case anything goes wrong? These issues are directly and highly related to the problem of control and access to health information, because they reflect the growing trend of a SaaS world where data lives in the cloud, and individuals have no significant leverage once a certain level of monopoly or oligopoly becomes established. What good is choice, if there are only lies to choose from?

In order to avoid a situation where people and individuals have no practical choice in these matters, we need to establish a place in “the cloud” where the individual starts by having total control, where they can then require that other individuals and external entities come to them, and where the default will be privacy, if not secrecy, if not security. At least then there will be an understood and practical alternative and reference point for what private and personal even means, where people can actually decide if they want to surrender or share a certain level of control with some external entity.

From an architectural and technological standpoint, we can relatively easily provide a private and secure place for the individual to store their own medical records. Then, if they want to give access to their doctor, they can do so. If the doctor requests permission to be able to reference their case in the future, they might provide that, provided that the doctor agrees not to share that with others. If that information somehow gets out, they will know that it was that particular doctor, and word will travel pretty quickly that the doctor didn’t honor the doctor/patient relationship.
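A minimal sketch of the patient-held store described above, added here as an illustration and not code from the original post: access is denied by default, each doctor needs an explicit grant, and every released copy carries a tag keyed to its recipient so a leaked copy can be traced. The `PatientVault` class, its method names, and the HMAC tagging scheme are assumptions made for this example.

```python
import hashlib
import hmac
import secrets


class PatientVault:
    """Patient-held record store: deny by default, explicit per-doctor grants."""

    def __init__(self):
        self._tag_key = secrets.token_bytes(32)  # stays with the patient
        self._records = {}    # record_id -> bytes
        self._grants = set()  # (doctor, record_id) pairs the patient approved
        self._released = {}   # tag -> (doctor, record_id), the release log

    def store(self, record_id, data):
        self._records[record_id] = data

    def grant(self, doctor, record_id):
        self._grants.add((doctor, record_id))

    def revoke(self, doctor, record_id):
        self._grants.discard((doctor, record_id))

    def _tag(self, doctor, record_id, data):
        # Bind recipient, record and content together under the patient's key.
        msg = doctor.encode() + b"\x00" + record_id.encode() + b"\x00" + data
        return hmac.new(self._tag_key, msg, hashlib.sha256).hexdigest()

    def release(self, doctor, record_id):
        """Return (data, tag) for a granted doctor; raise for anyone else."""
        if (doctor, record_id) not in self._grants:
            raise PermissionError(f"{doctor} has no grant for {record_id}")
        data = self._records[record_id]
        tag = self._tag(doctor, record_id, data)
        self._released[tag] = (doctor, record_id)
        return data, tag

    def attribute(self, data, tag):
        """Name the doctor a leaked (data, tag) copy was released to, or None."""
        entry = self._released.get(tag)
        if entry is None:
            return None
        doctor, record_id = entry
        expected = self._tag(doctor, record_id, data)
        return doctor if hmac.compare_digest(expected, tag) else None
```

Attribution here only works while the tag travels with the copy; a recipient who strips it leaves the patient with the grant list alone as evidence of who had access.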

Off the top of my head, I can’t think of a single organism that has succeeded/survived/thrived where the individual in the end didn’t have final say and control. Does anything remotely resembling the borg actually exist anywhere in nature? I don’t actually know, it’s a non-rhetorical question.

If not, then why are we heading further and further down the road where individuals, as a part of larger organizations, no longer have any real decision-making power? Have you ever talked to a cell phone company representative? You might as well be talking to the company’s computer system, where the representative can only really follow policies that have been set somewhere centrally by some sort of bean counter. I have thankfully not had to deal with a case of an insurance company overriding the judgment of a doctor, but I imagine it is quite the same.

We should start moving in the opposite direction, where people are in control of their own context, in their own community, without anything “above” them in authority that can sweep down from the sky/net and literally take their life at any time. Do we know that these behaviors have definitely made the world a better place? That question, on the other hand, is rhetorical. First, let us all do no harm.

Posted on March 6th, 2008 by David Thomson
